Outbound network access destinations for Azure

If you have limited outbound internet access (for example due to using a firewall or proxy), review this content to learn which specific outbound destinations must be available in order to register a CDP environment.

The following list includes general destinations as well as Azure-specific destinations:

| Description/Usage | CDP service | Destination | Protocol and Authentication | IP Protocol/Port | Comments |
|---|---|---|---|---|---|
| AMPs<br>Applied ML Prototypes | Machine Learning | `https://raw.githubusercontent.com`<br>`https://github.com` | HTTPS | TCP/443 | Files for AMPs are hosted on GitHub. |
| Cloudera CCM<br>Persistent Control Plane connection | All services | IP: `44.234.52.96/27`<br>Hostname pattern: `*.ccm.cdp.cloudera.com` | SSH public/private key authentication | TCP/6000-6049 | One connection per cluster configured; persistent. |
| Cloudera Databus<br>Telemetry, billing and metering data | All services | `dbusapi.us-west-1.sigma.altus.cloudera.com`<br>`*.s3.amazonaws.com` | HTTPS with Cloudera-generated access key for dbus<br>HTTPS for S3 | TCP/443 | Regular interval for telemetry, billing, metering services, and used for Workload Manager if enabled. Larger payloads are sent to a Cloudera managed S3 bucket. |
| Cloudera Manager parcels<br>Software distribution | Data Hub<br>Data Lake<br>Data Engineering<br>Operational Database | `archive.cloudera.com` | HTTPS | TCP/443 | Cloudera’s public software repository. CDN backed service; IP range not predictable. |
| Control Plane API | Data Engineering<br>Machine Learning | `api.us-west-1.cdp.cloudera.com` | HTTPS with Cloudera-generated access key | TCP/443 | Cloudera’s control plane REST API. |
| Docker Images<br>Software Distribution | Data Engineering<br>Machine Learning | `container.repository.cloudera.com`<br>`docker.repository.cloudera.com` | HTTPS | TCP/443 | Cloudera’s public docker registry. CDN backed service; IP range not predictable. |
| Docker Images<br>Software Distribution | Data Engineering<br>Data Warehouse | `container.repo.cloudera.com`<br>`*.s3.<region>.amazonaws.com`<br>`s3-r-w.<region>.amazonaws.com`<br>`*.execute-api.<region>.amazonaws.com`<br>Additionally, the following are required only for old/existing DW environments:<br>`auth.docker.io*`<br>`cloudera-docker-dev.jfrog.io*`<br>`docker-images-prod.s3.amazonaws.com*`<br>`gcr.io*`<br>`k8s.gcr.io*`<br>`quay-registry.s3.amazonaws.com*`<br>`quay.io*`<br>`quayio-production-s3.s3.amazonaws.com*`<br>`docker.io*`<br>`production.cloudflare.docker.com*`<br>`storage.googleapis.com*` | HTTPS | TCP/443 | Moved to container.repo.cloudera.com<br>container.repo.cloudera.com uses ECR which requires S3 URLs. |
| General Azure guidelines | All | See Safelist the Azure portal URLs on your firewall or proxy server for Azure egress best practices. | | | |
| Azure Kubernetes Services (AKS) | Data Engineering<br>Data Warehouse<br>Machine Learning | See Control egress traffic for cluster nodes in Azure Kubernetes Service (AKS). | | | |
| Azure Data Lake Storage Gen 2 | Data Lake<br>Data Hub<br>Data Engineering<br>Operational Database | `<storage account name>.dfs.core.windows.net` | HTTPS<br>Azure authentication | TCP/443 | Azure Storage VPC endpoint is required (Microsoft.Storage). |
| Azure Database for Postgres | Data Lake<br>Data Hub<br>Data Warehouse<br>Machine Learning | `*.postgres.database.azure.com` | JDBC / Postgres binary protocol | TCP/5432 | Azure SQL VPC endpoint is required (Microsoft.Sql). |
| ARM to manage User Assigned Managed Identities | Data Lake | `management.azure.com` | HTTPS<br>Azure authentication | TCP/443 | This can be allowed by using the AzureResourceManager Azure service tag. Additionally IP addresses to whitelist are available to download. |
| Microsoft Log Analytics | All services | `*.agentsvc.azure-automation.net`<br>`*.ods.opinsights.azure.com`<br>`*.oms.opinsights.azure.com`<br>`*.blob.core.windows.net` | HTTPS<br>Azure authentication | TCP/443 | Optional; but may cause issues with Azure approved images if blocked. |
| Azure Database for MySQL | Data Engineering | `*.mysql.database.azure.com` | JDBC / Postgres binary protocol | TCP/3306 | Azure Database for MySQL |
| Azure files | Data Engineering | `*.file.core.windows.net` | SMB | TCP/445 | What is Azure Files? |
| Digicert CA Certificate | Data Engineering | `www.digicert.com`<br>`cacerts.digicert.com` | HTTPS<br>Azure authentication | TCP/443 | Fetching TLS CA for Azure MySQL DB secure connection |
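
When environment registration fails behind a firewall or proxy, a quick check is to compare the denied egress entries against the destinations listed above. The following is an added example, not Cloudera code: it matches a destination and port against a subset of the listed hostnames, wildcard patterns, the CCM CIDR and port range, and reports denied flows that hit a required destination. The `ACTION DEST PORT` log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

# (hostname, wildcard pattern or CIDR, first port, last port, usage), taken from
# the destinations listed above. A subset only; extend it for the services in use.
REQUIRED = [
    ("44.234.52.96/27", 6000, 6049, "Cloudera CCM"),
    ("*.ccm.cdp.cloudera.com", 6000, 6049, "Cloudera CCM"),
    ("dbusapi.us-west-1.sigma.altus.cloudera.com", 443, 443, "Cloudera Databus"),
    ("*.s3.amazonaws.com", 443, 443, "Cloudera Databus"),
    ("archive.cloudera.com", 443, 443, "Cloudera Manager parcels"),
    ("api.us-west-1.cdp.cloudera.com", 443, 443, "Control Plane API"),
    ("management.azure.com", 443, 443, "ARM"),
    ("*.postgres.database.azure.com", 5432, 5432, "Azure Database for Postgres"),
    ("*.mysql.database.azure.com", 3306, 3306, "Azure Database for MySQL"),
    ("*.file.core.windows.net", 445, 445, "Azure files"),
]

def match_required(dest, port):
    """Return the usage label of the first entry covering dest:port, else None."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        addr = None  # dest is a hostname, not an IP literal
    for pattern, lo, hi, usage in REQUIRED:
        if not lo <= port <= hi:
            continue
        if "/" in pattern:  # CIDR entry: only IP destinations can match
            if addr is not None and addr in ipaddress.ip_network(pattern):
                return usage
        elif addr is None and fnmatchcase(dest.lower().rstrip("."), pattern):
            return usage
    return None

def blocked_required(log_lines):
    """Return (dest, port, usage) for each DENY entry hitting a required destination."""
    hits = []
    for line in log_lines:
        action, dest, port = line.split()
        usage = match_required(dest, int(port))
        if action == "DENY" and usage:
            hits.append((dest, int(port), usage))
    return hits

# Constructed sample log lines in the assumed "ACTION DEST PORT" format.
SAMPLE_LOG = ["DENY 44.234.52.100 6001", "DENY abc.ccm.cdp.cloudera.com 6050",
              "ALLOW archive.cloudera.com 443", "DENY example.org 443",
              "DENY myserver.postgres.database.azure.com 5432"]

if __name__ == "__main__":
    for hit in blocked_required(SAMPLE_LOG):
        print(hit)
```

The second sample line is not reported because port 6050 falls outside the TCP/6000-6049 range listed for CCM.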